The duke of URL: Zoom meetups' info leaked out through eavesdrop hole

Video-conferencing outfit Zoom had a vulnerability in its URL scheme that miscreants could exploit to eavesdrop on private meetings. That's according to infosec biz Check Point, which says it found snoops could brute-force their way into Zoom-hosted virtual meetings that were not secured by a password. Hackers would just need …

  1. macjules

    How unfortunate

    Just as the world's largest advertising agency (WPP) moved everyone from Webex to Zoom.

    (Spawn of Satan since we lack a Schadenfreude icon)

    1. DontFeedTheTrolls

      Re: How unfortunate

      WPP being the least of your worries over security.

      I wonder how many banks, councils, medical research organisations etc. are using Zoom unsecured. You know, organisations that have real information to protect, not just somebody's advertising expectations.

  2. DontFeedTheTrolls

    In fairness to Zoom, every other conference service I've ever used had the same problem, where only a conference ID was widely used and there was no additional authentication of who had dialled in. Like Zoom, you could add a password, but most meeting organisers chose not to.

    Security by obscurity as it were...

    1. matt 83

      Well a password is kind of just obscurity too, especially one like this that is shared with everyone and never changed.

      The problem was that a 4% hit rate wasn't nearly obscure enough. They needed to be using a lot more than 11 digits and have something in place to block people trying to brute force it.

  3. davenewman

    When you are in a meeting, you can see a list of everyone connected. So you can kick out the interlopers.

    1. Drew Scriver

      At several companies I have worked at, I've at times called into small meetings a second time from an unknown number (e.g. my home phone). After some time I would ask in the meeting whom that unknown number belonged to and whether we might have someone eavesdropping.

      Only once did a manager remove that unknown caller from the call...

  4. bsdnazz

    We even know where you are, that telephone box - https://www.google.co.uk/maps/@57.6841296,-6.327199,3a,75y,95.02h,69.98t/data=!3m6!1e1!3m4!1siFQM4WrFREhkIOgqllhvGQ!2e0!7i13312!8i6656

  5. This post has been deleted by its author

  6. Claptrap314

    Make it so they can't get in, and you cannot get out.

    I'm embarrassed that the penny did not drop for me on this one. If they were using 64-bit ids, the hit rate would be in the dirt. If they force them to rotate every month or so, even found valid ids would not last. Now, everything requires a password. How many of those will be '123'?

    The password to a meeting is nothing more and nothing less than an unstructured extension to the meeting id. Pretending otherwise will not improve the situation.
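    Added example, not from the article or any commenter, putting numbers to matt 83's and Claptrap314's points: the probability that one random guess hits a live ID in an 11-digit versus a 64-bit space, and a minimal detector for the "something in place to block people trying to brute force it" control, run over constructed join-attempt log lines in a made-up format (the field names, addresses and IDs are all invented for the example).

```python
from collections import defaultdict

def hit_probability(live_ids: int, keyspace: int) -> float:
    """Chance that one uniformly random guess lands on a live meeting ID."""
    return live_ids / keyspace

def keyspace_digits(n_digits: int) -> int:
    """Size of an all-numeric ID space with n_digits digits."""
    return 10 ** n_digits

def parse_join_line(line: str) -> dict:
    """Parse one constructed join-attempt record: 'ts src=.. meeting=.. result=..'."""
    ts, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = ts
    return rec

def flag_brute_force(lines, min_attempts=20, distinct_ratio=0.8, fail_ratio=0.8):
    """Return sources whose join attempts look like ID enumeration:
    many attempts, almost all against distinct IDs, almost all rejected.
    A legitimate user retrying a mistyped ID stays well under these thresholds."""
    per_src = defaultdict(lambda: {"n": 0, "ids": set(), "fail": 0})
    for line in lines:
        rec = parse_join_line(line)
        s = per_src[rec["src"]]
        s["n"] += 1
        s["ids"].add(rec["meeting"])
        if rec["result"] != "joined":
            s["fail"] += 1
    return sorted(
        src for src, s in per_src.items()
        if s["n"] >= min_attempts
        and len(s["ids"]) / s["n"] >= distinct_ratio
        and s["fail"] / s["n"] >= fail_ratio
    )

# Constructed sample log (RFC 5737 documentation addresses): one source sweeping
# sequential 11-digit IDs and landing one hit, one user retyping a typo once.
SAMPLE_LOG = [
    f"2020-01-28T10:00:{i:02d}Z src=203.0.113.7 meeting={41000000000 + i} result="
    + ("joined" if i == 17 else "invalid")
    for i in range(25)
] + [
    "2020-01-28T10:01:00Z src=198.51.100.9 meeting=55512345678 result=invalid",
    "2020-01-28T10:01:30Z src=198.51.100.9 meeting=55512345687 result=joined",
]

if __name__ == "__main__":
    print(f"11-digit space, 1 live ID: p={hit_probability(1, keyspace_digits(11)):.2e}")
    print(f"64-bit space,   1 live ID: p={hit_probability(1, 2 ** 64):.2e}")
    print("flagged sources:", flag_brute_force(SAMPLE_LOG))
```

    The detector keys on the shape of the traffic (many distinct IDs, mostly rejected), so a single source that guesses slowly or spreads attempts across addresses will need the thresholds tuned or a longer window.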

  7. IGotOut

    I do wonder if....

    Sometimes these DDoS attacks are actually researchers battering the site trying to find problems.

  8. Frumious Bandersnatch

    What?

    Nobody in yet with the obligatory video to go with the head?

    https://www.youtube.com/watch?v=0m2ImnAEqSw

    (your DAD'S the duke of URL!)

  9. EnviableOne

    Highly sensitive and insecure?

    OK, so correct me if I am wrong, but if you are discussing highly sensitive commercial or legal issues, the meeting will be secured, so the 4% they get into are just the crap, can't-be-arsed-to-come-to-where-you-are-or-lug-this-big-bit-of-kit meetings that don't reveal anything.

  10. schmitzr2018

    Use the default meeting, not a personal meeting room

    Just allowing Zoom to use dynamic meeting numbers and passwords makes the URL un-figure-out-able.

  11. Scott 53

    Headline writing

    doesn't get better than this.
